Add Ethereum and Solana feature policy #13783

Merged (5 commits), Jul 5, 2022


@bbondy bbondy commented Jun 14, 2022

Resolves brave/brave-browser#23572
Resolves brave/brave-browser#23710

Submitter Checklist:

  • I confirm that no security/privacy review is needed, or that I have requested one
  • There is a ticket for my issue
  • Used Github auto-closing keywords in the PR description above
  • Wrote a good PR/commit description
  • Squashed any review feedback or "fixup" commits before merge, so that history is a record of what happened in the repo, not your PR
  • Added appropriate labels (QA/Yes or QA/No; release-notes/include or release-notes/exclude; OS/...) to the associated issue
  • Checked the PR locally: npm run test -- brave_browser_tests, npm run test -- brave_unit_tests, npm run lint, npm run gn_check, npm run tslint
  • Ran git rebase master (if needed)

Reviewer Checklist:

  • A security review is not needed, or a link to one is included in the PR description
  • New files have MPL-2.0 license header
  • Adequate test coverage exists to prevent regressions
  • Major classes, functions and non-trivial code blocks are well-commented
  • Changes in component dependencies are properly reflected in gn
  • Code follows the style guide
  • Test plan is specified in PR before merging

After-merge Checklist:

Test Plan:

I think there is sufficient coverage in automated tests and this would be too time consuming to manually test.

@bbondy bbondy force-pushed the ethereum-feature-policy branch 9 times, most recently from 6366d96 to c01ffb6 Compare June 20, 2022 21:05
@bbondy bbondy force-pushed the ethereum-feature-policy branch 2 times, most recently from 3aa96c2 to 9cfa6dd Compare June 27, 2022 20:48
@bbondy bbondy changed the title WIP Ethereum feature policy Add Ethereum and Solana feature policy Jun 27, 2022
+ {
+ name: "Solana",
+ permissions_policy_name: "solana"
+ },
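Review bot: the new entry declares only a name and permissions_policy_name, so the hunk does not show how the solana feature defaults (in particular whether a cross-origin frame gets it without explicit delegation); confirm it is declared the same way as the ethereum entry this PR adds, and add a test that a Permissions-Policy header naming solana is parsed and enforced. Since the author notes the entry fails to parse when collapsed onto one line, a short comment in the file saying the multi-line layout is required would save the next editor the same detour.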
Member Author

note to @bridiver this errors out if I try to combine it into 1 line. Not sure how it's being parsed but it's very sensitive.

@bbondy bbondy force-pushed the ethereum-feature-policy branch 2 times, most recently from 298976b to 519577a Compare June 28, 2022 15:22
@bbondy bbondy requested a review from mkarolin June 28, 2022 16:41
Collaborator

@mkarolin mkarolin left a comment

chromium_src and patches LGTM

Member

@yrliou yrliou left a comment

LGTM

@bbondy bbondy force-pushed the ethereum-feature-policy branch 2 times, most recently from 7e07542 to 505ee55 Compare June 29, 2022 16:36
Member

@thypon thypon left a comment

.

render_frame()->GetWebFrame()->IsCrossOriginToOutermostMainFrame()) ||
!render_frame()->GetWebFrame()->GetDocument().IsSecureContext()) {
// Wallet provider objects should only be created in secure contexts
if (!render_frame()->GetWebFrame()->GetDocument().IsSecureContext()) {
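Review bot: the IsCrossOriginToOutermostMainFrame() condition is dropped from this guard, leaving IsSecureContext() as the only check at this point, so a cross-origin iframe is no longer rejected here; confirm the cross-origin case is now denied by the permissions-policy check this PR introduces and is covered by a browser test (the case list later in this review is a good source), and consider extending the new comment to say that cross-origin gating has moved to the permissions policy rather than being removed.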
Member

Is this case already tested?

Member

Are we guarding/testing against these cases?

  • Top level http://a.com/ with <iframe src="https://a.com"> -> blocked (insecure/3p)
  • Top level https://b.com with <iframe src="http://a.com/"> with <iframe src="https://b.com"> -> blocked (insecure)
  • Top level https://a.com with <iframe src="https://a.com" sandbox> -> blocked (sandbox)
  • Top level data://foo with <iframe src="data://bar"> -> blocked (insecure)
  • Top level file://foo with <iframe src="file://bar"> -> blocked (3p)

Member Author

Top level https://a.com with <iframe src="https://a.com" sandbox> -> blocked (sandbox)

Spent too long trying to find a way to test this but the test relies on running JavaScript and JavaScript can't be run. I don't think we need to test that the Ethereum object exists here because no JS exists at all.

I'll have another update shortly with some others.

Member Author

For the other ones, rebased the missing ones (top level insecure) here:
f6dae30

@bbondy bbondy requested a review from thypon June 30, 2022 17:49
@bbondy bbondy merged commit 17d056c into master Jul 5, 2022
@bbondy bbondy deleted the ethereum-feature-policy branch July 5, 2022 18:17